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I submit this Report in the above-captioned action on behalf Ira Kleiman, as the personal 
representative of the Estate of David Kleiman, and W&K Info Defense Research, LLC 
(collectively, “Plaintiffs”). 

If called as a witness, I could and would testify to the truth of these facts and opinions 
under oath. 

I. BACKGROUND AND QUALIFICATIONS 

1. I am over the age of eighteen (18), not a party to this action, and currently reside in 
New York, NY. My education, training, and experience fully qualify me to make the statements 
contained in this Report. 

es I received a B.S. in Computer Science from Baylor University in 2005, a MLS. in 
Computer Science from Rensselaer Polytechnic Institute in 2007, and a Ph.D. in Computer Science 
from Rensselaer Polytechnic Institute in 2011. 

a I have authored or co-authored multiple research papers in peer-reviewed 
conferences and journals related to techniques for cryptographic security and authentication in 
wireless networks, and the design, implementation, and analysis of anonymous communication 
systems on the Internet. 

4. As a Lead Cyber Security Engineer at The MITRE Corporation I supported the 
FBI’s Remote Operations Unit in the technical efforts of identifying the Tor hidden service hosting 
the Silk Road marketplace. I subsequently provided on-site support to the FBI’s New York field 
office to affect the seizure of bitcoins located on Silk Road servers and Ross Ulbricht’s personal 
laptop and other devices, as well as the Silk Road webserver itself. Later, as a Senior Director at 
FTI Consulting, I provided consulting to the U.S. Attorney’s Office for the Southern District of 


New York in which I analyzed digital forensic evidence collected as part of the investigation to 
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establish substantial and ongoing links between bitcoin wallets identified on Silk Road servers and 
Ulbricht’s personal bitcoin wallets, which was presented at Ulbricht’s trial. 

oF I have served as an invited member of the technical program committee for the 
Association for Computing Machinery’s Conference on Computer and Communications Security. 
I have also served as an invited member of the technical program committee for the International 
Financial Cryptography Association’s International Conference on Financial Cryptography and 
Data Security. Additionally, I have served as an external reviewer for several academic 
conferences and journals, including The Institution of Engineering and Technology’s Information 
Security Journal and the Privacy Enhancing Technologies Symposium. 

6. Since 2015, I have been a Director in the Cyber Security & Investigations practice 
at Berkeley Research Group, LLC (“BRG’”’), a global strategic advisory and expert consulting firm. 
I regularly provide expert consultation to clients regarding computer and network security, as well 
as conduct cyber incident response and investigative analysis. 

ve From 2014 to 2015, I was a Senior Director in the Cyber Security & Investigations 
Group of FTI Consulting, Inc.’s Global Risk and Investigations Practice. I worked on numerous 
matters related to computer and network security, and forensic evidence collection and analysis. 

8. From 2013 to 2014, I was a Senior Vulnerability Engineer in Bloomberg LP’s 
Vulnerability Analysis Team. I focused on data security and worked to protect sensitive data from 
both internal and external threats through continuous cyber security research and testing of the 
firm’s network infrastructure, websites, software, and mobile applications. 

9: From 2009 to 2013, I was a Lead Cyber Security Engineer in The MITRE 
Corporation, a federally funded research and development center, where I specialized in research 


and development of systems for anonymous communication on the Internet. 
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10. I hold a current AccessData Certified Examiner credential, which is a certification 
recognized in the field of digital forensics. 


i, A copy of my curriculum vitae is attached below as Exhibit 1. 


Il. SUMMARY OF OPINIONS 

12. _—_ I have been asked to analyze certain documents submitted by Craig Wright (the 
“Defendant’) in this litigation and determine, to the extent possible, whether they are authentic, 
including but not limited to whether the documents and/or their associated metadata have been 
manipulated or altered since their creation. As part of this analysis, I analyzed the original “native” 
files associated with these documents and their associated metadata. Additionally, some of the 
documents I reviewed contained cryptographic signatures, which I also analyzed. 

13. My analysis determined that certain documents produced by the Defendant in this 
litigation were manipulated — including a number of emails that were purportedly sent by Dave 


Kleiman — and are, therefore, not authentic. 


Il. MATERIALS REVIEWED AND INFORMATION CONSIDERED 
14. In forming the opinions expressed in this Report, I have relied on my own 
education, knowledge, experience, and training in computer science, as well as my specific 
education, knowledge, experience, and training in the fields of applied cryptography and digital 
forensics. In addition to the documents cited and information provided in this Report, I have also 
considered the documents listed at the end of this Report in forming my opinion. 
15. I may review additional documents and information produced by the Parties, as 


well as deposition testimony provided after the submission of my Report, if any. 
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IV. METHODOLOGY 


16. The methodology for analyzing the documents described in this report generally 
comprises the following components: (i) reviewing the “human-readable” contents of the 
documents (e.g. the visible text in an email or PDF file), (ii) analyzing the internal “machine- 
readable” code or structure contained within the documents’ native files (e.g. the object code 
within a PDF file), and (111) identifying and extracting metadata about the documents (e.g. 
information about how the documents were created, when, and by whom). 

17. | Some documents I reviewed also included cryptographic signatures within the 
visible contents of the documents or embedded in their internal structure. A cryptographic 
signature is a mathematical technique for certifying and subsequently verifying the origin and 
authenticity of arbitrary computer data, such as a file, email, or other electronic document. The 
signature thus allows the recipient to verify the data (i) originated from the expected sender and 
(11) has not been altered. Additionally, a cryptographic signature can also include other information 
about the signature, such as the identity of the individual and/or program that created the 


cryptographic signature and a timestamp indicating when that signature was created. 


V. DOCUMENT ANALYSIS 


A. DEF_00002413 
18. [reviewed DEF 00002413, which is a PDF of a purported email sent from Dave 
Kleiman to the Defendant on June 24, 2011 attaching certain documents related to the Tulip Trust. 


(Fig. 1.) I understand that the Defendant has sworn to the authenticity of this document through a 
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declaration submitted to this Court. (Ex. 2.) I also understand that this document was produced by 


the Defendant as a scan of a hard copy paper document in this litigation. 
FIGURE 1. DEF_0002413 


From: Dave Kelman. 

To: Craig S Wright 

Subject: Requested attached, 

Date: Friday, 24 June 2011 12:04:57 PM 
Attachments: Tullo Trust.odfasc 


Importance: High 


Craig, 
{ think you are mad and this is risky, but I believe in what we are trying to do. 


Respectfully, 
Dave Kleiman - 
4371 Northlake Blvd #314 


Palm Beach Gardens, FL 33410 
$61.310.8801 





19. — Lalsoreviewed DEF 00013189 and DEF 00013459, which are PDF files produced 
by the Defendant in this litigation. As shown in Figures 2 and 3, the text of DEF_00013459 and 
DEF _00013189 is identical to that of the purported email in DEF 00002413, except the date of 
the purported email in DEF_00013459 is October 17, 2014 instead of June 24, 2011. 

20. I extracted the three attachments from DEF 00013189 and DEF 00013459 which 
are identified in the “Attachment” line of the email files. I compared the hash values! of the 
attachments I extracted from both PDFs and determined the attachments in DEF 00013189 were 


identical to those in DEF 00013459. Further, the text of “Tulip Trust.pdf”’ that I extracted from 


' Hash values (or simply “hashes’”) represent large amounts of data as much smaller numeric 
values, such that (i) a small change to the input data results in a large change in the hash value, 
and (ii) it is impractical to determine the input data from just the hash value. Hashes are commonly 
used with cryptographic signatures. 
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the two documents is identical to the version attached to the paper scans as Bates numbers 


DEF _00002414-15 that the Defendant swore were authentic. 


FIGURE 2. DEF 00013459 


pestend attic trect 
Friday, 17 October 2014 12:04:57 PM 


Craig. 
I think you are mad and this is msky, but I believe in what we are trying to do 


Respectfully, 
Dave Kleiman - itp. www ComputerF orensicE xamuner com - bitp. www DigitalForensicE xpert com 
4371 Northlake Blvd #314 


Palm Beach Gardens, FL 33410 
561.310.8801 





FIGURE 3. DEF 00013189 


equested attache 
Friday, 24 June 2011 12:04:57 PM 


Craig, 
I think you are mad and this is nsky, but I believe in what we are trying to do 


Respectfully. 


Dave Kleiman - bitpJwww. ComputerF orensic Examiner com - itp www DigitalForensicExpert com 


4371 Northlake Blvd #314 
Palm Beach Gardens, FL 33410 
561.310.8801 
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21. IT extracted the metadata associated with DEF 00013189 and DEF 00013459 using 
a hex editor.” I have attached the relevant outputs that I analyzed at Exhibits 3 - 4 (DEF_00013189) 
and Exhibits 5-10 (DEF 00013459). The metadata contained within the PDF files associated with 
Exhibits 3-4 and Exhibits 5-10 contain DocumentID and InstanceID attributes. A PDF’s 
“DocumentID” is a common identifier used to associate multiple versions or revisions of a 
particular document, whereas the “InstanceID” is a unique identifier assigned to a specific version 
or revision of that document. I determined that DEF_ 00013189 and DEF 00013459 contain the 
same DocumentID but different InstanceID values, which indicates that they are different versions 
of the same original document. 

22. Based on my review of Exhibits 5-10, it is my opinion that DEF 00013459 was 
created by exporting an email from Microsoft Outlook to PDF. The metadata contained in 
DEF _ 00013459 indicates the original email was sent on or around October 17, 2014 by an 
individual using the email account craig@panopticrypt.com and from a computer named 
PCCSW01. It then passed through multiple email servers before being delivered by a server in the 
time zone UTC-5 to the same address that sent it, craig@panopticrypt.com. Once the email was 
exported to PDF, the resulting PDF was modified to appear as if Dave Kleiman had sent the email 
to Craig Wright. 

23. Exhibits 5-6 further shows that the purported email in DEF_00013459 was created 


using Microsoft Outlook 15.0. I reviewed the Microsoft Outlook version history from a support 


? A hex editor is a software program that allows the user to see or edit the raw and exact contents 
of a file, as opposed to the interpretation of the same content that other, higher level application 
software may associate with the file format. For example, this could be raw image data, in contrast 
to the way image editing software would interpret and show the same file. 
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page on microsoft.com. (Ex. 11.) Based on my review of Microsoft Outlook’s version history, I 
determined that Microsoft Outlook 15.0 was not released to the general public until January 2013. 

24. Exhibits 5-6 also contain an IP address associated with the individual who sent the 
original email from within Microsoft Outlook. That IP address is 14.1.18.30. I looked up certain 
information related to that IP address using the MaxMind GeoIP2 Precision service, which is a 
publicly available service used to identify certain geographical information associated with a 
particular IP address. The GeoIP2 Precision service shows the IP address is associated with Eastern 
Australia. (Ex. 12.) 

25, Based on my review of Exhibits 3-4, it is my opinion that DEF 00013189 was 
created by making further edits to DEF 00013459. Specifically, the PDF was modified to make it 
appear as if the email was sent on June 24, 2011. 

26. [also reviewed DEF_00079344, which is an email file produced by the Defendant 
as a .msg> file a few days before the June 28, 2019 hearing in this matter. The text of 
DEF _ 00079344 is identical to the text in DEF 00002413 and DEF 00013189. 

ay I extracted the email header information associated with DEF 00079344 which is 
attached at Exhibit 13. The email header contains a timestamp added by Google which is encoded 
in milliseconds as a “Unix epoch” timestamp.* The timestamp indicates the purported email in 
DEF _ 00079344 was received by Google’s email server on or about October 24, 2012, over a year 


after the date of the alleged email in DEF_00079344 and DEF_00002413. (Ex. 14.) 


3 A .msg file is an email file format commonly associated with Microsoft Outlook. It typically 
includes not only the content of the email, but also email “header” information and any attachments 
included with the email. 

4 A “Unix epoch” timestamp (or sometimes just “Unix timestamp’? is a numeric value indicating 
the time elapsed since midnight on January 1, 1970 UTC. It is usually expressed in seconds but 
can also be expressed in milliseconds. 


10 
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28. Accordingly, it is my opinion that DEF_00002413 is not an authentic document, 
but is a forgery created from an email that was sent from craig@panopticrypt.com to 
craig@panopticrypt.com on or about October 17, 2014 and then modified to make it appear as if 


the email was sent from Dave Kleiman on June 24, 2011. 


B. DEF _00013188 

29. — I reviewed DEF_ 00013188, which is a purported email sent from Dave Kleiman to 
the Defendant on April 2, 2013 in which Dave allegedly accepts a role at Coin-Exch. 
DEF _ 00013188 was produced by the Defendant as a PDF file. 

30. I extracted and analyzed the metadata associated with DEF 00013188. (Ex. 15) 
The extracted metadata indicates that DEF 00013188 contains the same Document ID as 
DEF_00013459 and DEF 00013189, but a different InstanceID, which indicates DEF 00013188 
is another revision of the same document. 

31. I also reviewed the cryptographic signature contained within DEF 00013188. I 
used GnuPG to extract certain information from the GPG signature. GnuPG is a free software 
program that can be used to encrypt, decrypt, and cryptographically sign and verify documents 
and other electronic information. I have attached the GnuPG output associated with this 
cryptographic signature at Exhibit 16. The timestamp from the cryptographic signature contained 
within DEF 00013188 indicates that the signature was created on or about October 23, 2014, 
according to the computer on which the signature was created—over a year after Dave Kleiman 
died. 

32. Exhibit 16 also indicates that the key used to create the cryptographic signature in 
DEF _ 00013188 is the same key used to create the cryptographic signature in DEF 00002416 of 


the “Tulip Trust.pdf” file allegedly sent by Dave Kleiman to Craig Wright in June 2011. (Ex. 17.) 


11 
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33. Based on my review of the metadata contained in Exhibit 15 and the information 
associated with the cryptographic signature, it is my opinion that DEF 00013188 is not an 
authentic email sent by Dave Kleiman in April 2013, but is a forgery created by further modifying 
DEF _00013189 to make it appear as if the email was sent from Dave Kleiman to the Defendant 


on April 2, 2013. 


C, DEF _00050985 

34. — IT reviewed DEF_ 00050985, which is a purported Deed of Trust between Wright 
International Investments Ltd and Tulip Trading Ltd dated October 23, 2012. I understand that the 
Defendant has sworn to the authenticity of this document through a declaration submitted to this 
Court and referred to it as Tulip Trust 1. (Ex. 2.) DEF_00050985 was produced by the Defendant 
as a PDF file. 

35. I extracted and analyzed the metadata associated with DEF 00050985. (Ex. 18.) 
The metadata indicates the PDF was allegedly created on October 22, 2012 at 9:09:53 AM 
UICFL. 

36. | extracted five embedded font files contained within the PDF itself. These font 
files each contained cryptographic signatures from Microsoft that indicate the fonts themselves 
were not created until 2015. (Exs. 19-23.) Each of these font files also contained copyright 
information which indicated they were copyrighted in 2015. (Ex. 24.) 

37. It is not possible for a PDF that was created in 2012 to contain embedded font files 
that did not exist until 2015. Accordingly, it is my opinion that DEF 00050985 is not an authentic 


document and was not created until at least May 22, 2015. 


12 
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D. DEF_00027291 

38. Ireviewed DEF 00027291, which is a PDF of a purported email exchange between 
Dave Kleiman and the Defendant in September and October 2012 regarding an alleged Seychelles 
trust. 

39. There are two cryptographic signatures visible in DEF 00027291, both allegedly 
created by Dave Kleiman. I used GnuPG to extract certain information from the signatures. (Exs. 
25-26.) The data associated with these GnuPG outputs indicates that the cryptographic signatures 
associated with DEF 00027291 were created in February and March 2014, respectively, according 
to the computer on which the signatures were created — more than a year after the date associated 
with the exchange in the text of the PDF and almost a year after Dave Kleiman died. 

40. The cryptographic signature on page | of the PDF also contains the version number 
of the GnuPG program purportedly used to create it: “GnuPG v2.0.20 (MingW32).” However, 
based on my review of the GnuPG version history, GnuPG v2.0.20 was not released until May 10, 
2013, (Ex, 27.) 

41. Accordingly, it is my opinion that DEF 00027291 does not appear to be an 


authentic email from Dave Kleiman to Craig Wright but instead appears to be manipulated. 


E. DEF _00028008 
42. I reviewed DEF 00028008, which contains a purported email sent by Dave 
Kleiman to the Defendant in October 2012 regarding a purported list of keys allegedly held in a 


trust. DEF_00028008 was originally produced by the Defendant as a .mht file.° 


> The Defendant later produced a .msg file corresponding to this email; however, given that the 
alleged email from Dave Kleiman was “forwarded” to John Chesher and CC’ed to Ramona Watts, 
any email header information contained therein reflects the email from Craig Wright and not the 
alleged email from Dave Kleiman. 


13 
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43. DEF 00028008 contains a cryptographic signature allegedly created by Dave 
Kleiman. I used GnuPG to extract and analyze certain information from the GPG signature and I 
have attached that output at Exhibit 28. The GnuPG output indicates that the cryptographic 
signature associated with DEF 00028008 was created on or about March 2, 2014 according to the 
computer on which the signature was created—approximately one year after Dave Kleiman died. 

44. Accordingly, it is my opinion that DEF 00028008 does not appear to be an 


authentic email from Dave Kleiman to Craig Wright but instead appears to be manipulated. 


F. DEF _00056406 

45. I reviewed DEF 00000204, DEF_00013376, and DEF 00023252, each of which 
contains a series of Bitmessages purportedly sent by Dave Kleiman to the Defendant. Bitmessage 
is a decentralized and encrypted communications protocol that can be used by one person to send 
encrypted messages to another person. Some of these messages display sent or received dates that 
pre-date November 19, 2012. 

46. J interviewed Jonathan Warren (the creator of Bitmessage) via telephone on June 
25, 2019, and also reviewed the Bitmessage software’s revision history on GitHub.° Based on my 
review, I determined that the Bitmessage software was not made publicly available until November 
19, 2012, 

47. Jalso have reviewed Jonathan Warren’s deposition taken on July 24, 2019. Based 
on my review, I determined that that the Bitmessage “white paper” was not published until after 
the Bitmessage software was posted to Github, that Warren had not shared the Bitmessage software 
or source code with anyone prior to posting it on Github on November 19, 2012, and that it would 


not have been possible for anyone except Warren to run Bitmessage prior to that date. (Warren 


6 https://github.com/Bitmessage/PyBitmessage 





14 
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Dep. at 12:1—15:6.) Based on my review I also determined that version 4 Bitmessage addresses 
were not available before August 12, 2013. (Id. at 22:4—7.) 

48. I also reviewed the Bitmessage addresses saved in the Defendant’s address book 
that are associated with Dave Kleiman and Craig Wright which were produced by the Defendant 
as DEF_ 00013147. I determined that both of these addresses are “version 4” Bitmessage addresses. 
I then reviewed the GitHub commit history for Bitmessage and determined that support for version 
4 addresses was not introduced until August 2013—almost a year after the messages were 
purportedly sent and approximately four months after Dave Kleiman died. 

49. As these alleged Bitmessages are dated prior to the release of the Bitmessage 
software itself and are sent and received from version 4 addresses, it is my opinion that 
DEF_00000204, DEF_00013376, and DEF 00023252 each contain Bitmessages that are not 
authentic messages sent from or to Dave Kleiman, but have been manipulated to appear that way. 
Specifically, the messages in these documents dated October 22, 2012, November 6, 2012, 
November 7, 2012, November 8, 2012, November 11, 2012, and November 13, 2012 are not 


authentic messages sent from or to Dave Kleiman. 


G. DEF_00051013 
50. I reviewed DEF 00051013, which is a PDF of a purported invoice from High 
Secured.com dated May 25, 2015. I understand that the Defendant has sworn to the authenticity 
of this document through a declaration submitted to this Court. (Ex. 2.) 
51. I reviewed DEF 00051013 by analyzing the internal structure of the PDF file. I 


have attached the relevant outputs at Exhibit 29. 


Is 


Case 9:18-cv-80176-BB Document 548-3 Entered on FLSD Docket 06/01/2020 Page 16 of 30 


52. Based on review of these outputs, it is my opinion that DEF 00051013 was 
manipulated and therefore is not authentic. I have attached as Exhibit 30 a demonstrative 


identifying in red all edits that were made to the invoice. 


H. DEF _00022263 

53. [reviewed DEF_00022263, which is a PDF of a purported email exchange between 
Dave Kleiman and Craig Wright on or about December 15, 2012 regarding the potential purchase 
of a shelf company. 

54. I extracted and analyzed the metadata contained within DEF_ 00022263. (Ex. 31.) 
The metadata indicates that the PDF was created on March 26, 2014 at 1:19 PM (UTC+11) from 
an email in Microsoft Outlook. The PDF was last modified approximately 2 minutes later at 1:21 
PM. I analyzed the internal structure of the PDF file and identified TouchUp_ TextEdit markers 
indicating that modifications had been made to the body of the document. (Ex. 32.) 

Oa: The visible content of the PDF contains a cryptographic signature allegedly created 
by Dave Kleiman. I analyzed the signature using GPG and determined the signature was created 
on or about March 2, 2014 according to the computer on which it was created—approximately one 
year after Dave Kleiman died. (Ex. 33) 

56. Based on the above findings, it is my opinion that DEF_00022263 was manipulated 


and is therefore not authentic. 


I. DEF _00022274 
57. [reviewed DEF 0002274, which is a PDF of a purported email exchange between 
Dave Kleiman and Craig Wright on or about December 6, 2010 regarding the setup of a trust and 


the use of certain source code. 


16 
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58. The first email in the exchange was sent by Dave Kleiman to two email addresses 
associated with Craig Wright: craigswright@acm.org and craig@panopticrypt.com. The last 
message in the exchange was sent from craig@rcjbr.org to an undisplayed address associated with 
Craig Wright. 

59. I reviewed the domain registration records for panopticrypt.com and rejbr.org using 
the DomainTools service. (Exs. 34 and 35, respectively.) Based on the information provided by 
DomainTools, I determined that the domain panopticrypt.com was first registered on or about June 
18, 2011, and rejbr.org was first registered on or about November 2, 2011. In other words, neither 
domain existed at the time the purported email exchange allegedly occurred in December 2010. 

60. Based on the above findings, it is my opinion that DEF 0002274 was manipulated 


and is therefore not authentic. 


J. DEF _00027287 and DEF_00027288 

61. [reviewed DEF 00027287, which is a PDF of a purported email sent from “Dave 
Klieman (sic)” to Uyen Nguyen on or about 8:19:03 AM on Thursday, December 20, 2012 in 
which Dave allegedly offers Uyen a role as a director of W&K Information Defense Research 
LLC. I also reviewed DEF_00027288, which is a PDF of a second purported email sent from Dave 
to Uyen less than an hour later in which Dave thanks Uyen for accepting the role. 

62. I extracted and analyzed the metadata associated with DEF 00027287 and 
DEF _ 00027288 (Exs. 36 and 37, respectively.) The metadata associated with DEF 00027287 
indicates the PDF was created on or about April 17, 2014 at 8:23:41 AM using Acrobat PDFMaker 
11 for Microsoft Outlook on a computer whose time zone was consistent with Sydney, Australia 


(UTC+10), and then modified less than five minutes later. 


17 
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63. The metadata associated with DEF 00027288 indicates the document was created 
at the exact same date and time as DEF 00027287, but the ModifyDate fields indicate that 
DEF_00027288 was modified approximately five minutes after DEF 00027287 was last modified. 
Further, DEF 00027287 and DEF 00027288 contain the same DocumentID but different 
InstanceID values, which indicates that they two versions of the same original document. 

64. I analyzed the internal structure of DEF 00027287 and DEF 00027288 and 
identified several changes that had been made to both PDFs after they were created. (Exs. 38 and 
39, respectively.) In particular, the internal structure of DEF 00027287 indicates that the text 
associated with the “From:”, “To:”, and “Date:” fields at the top of DEF_00027287 were edited as 


shown in Figure 4. 


FIGURE 4. Screenshot of the rendered PDF from DEF 00027287 with the corresponding text 
modifications made to the email header highlighted in red. 


From: Dave Klieman 


To: Uyen Nguyen (uyen.nguyent@yahoo.com) 


Subject: Apppointment letter 
Date: Thursday, 20 December 2012 8:19:03 AM 





65. I compared the edits made in DEF 00027288 to those made in DEF 00027287 and 
determined that the “Date:” field was modified to make it appear as if it were sent less than an 
hour after DEF_ 00027287 was allegedly sent. Additionally, the body of the email was altered from 
the body of the email contained in DEF_00027287. 

FIGURE 5. Screenshot of the rendered PDF from DEF 00027288 with the previous text 


modifications from DEF 00027287 highlighted in red and the subsequent modifications made in 
DEF _ 00027288 highlighted in blue. 


From: Dave Klieman 


To: Uyen Nguyen (uyen.nguyent@yahoo.com) 


Subject: Apppointment letter 
Date: Thursday, 20 December 2012 9:11:14 AM 
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66. The visible content of DEF 00027287 also contains a cryptographic signature 
purportedly created by Dave Kleiman. I extracted and analyzed the cryptographic signature using 
GPG. (Ex. 40.) The GnuPG output indicates the signature was created on or about March 12, 2014 
according to the computer on which the signature was created; (ii) the signature was created with 
Key ID B885B17AC45BED 1B which is purportedly associated with Dave Kleiman; and, (iii) the 
signature matches the content of the email shown in DEF 00027287. DEF 00027288 does not 
contain a cryptographic signature. 

67. I also reviewed DEF 00030487, which is a copy of an email sent from 
craig.wright@hotwirepe.com to craig.wright@itmasters.edu.au on or about April 16, 2014 at 
10:21 PM UTC. The content of the email is identical to the content of DEF 00027287, including 
the cryptographic signature. The email also contains the same misspelled “Subject” line, which 
reads “Apppointment (sic) letter.” 

68. I extracted and analyzed the email headers associated with DEF 00030487. (Ex. 
41.) The email headers indicate the message originated from IP address 58.160.32.123, which is 
associated with Eastern Australia according to MaxMind’s GeolP Precision service. (Ex. 42.) 

69. Based on the findings above, it is my opinion that DEF 00027287 is a forgery 
created from an email sent by the Defendant to himself in April 2014 and modified to appear as if 
it was sent from Dave Kleiman to Uyen Nguyen in December 2012. DEF 00027288 is also a 
forgery created approximately five minutes after DEF 00027287 by subsequently modifying 
DEF _ 00027287 to make it appear as if it was a second email sent from Dave Kleiman to Uyen 


Nguyen approximately an hour later. 
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K. DEF_00027300 

70. [reviewed DEF_00027300, which is a PDF of a purported email exchange between 
Dave Kleiman and Craig wright on or about June 27, 2011 in which Craig makes several 
allegations about the Australian Tax Office (“ATO”) and an ATO employee named Adam 
Westwood. 

71. I extracted and reviewed the PDF metadata contained within DEF 00027300. (Exs. 
43-44.) The metadata indicated the document was created using Acrobat PDFMaker 11 for 
Microsoft Outlook on or about April 17, 2014 at 2:46 PM in a time zone associated with eastern 
Australia (UTC+10). The metadata objects further indicated that the PDF was modified at least 
twice: once at 3:11 PM (approximately 25 minutes after it was created), and again six minutes later 
at 3:17 PM. (Exs. 43 and 44, respectively.) Both modifications were made on a computer whose 
time zone was UTC+10. 


FIGURE 6. PDF object code extracted from DEF 00027300 which contains references to a 
mailing list that is not associated with the body of the purported email. 
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72. I also analyzed the internal structure of the PDF file and identified within it the PDF 


object code shown in Figure 6. (Ex. 45.) The PDF object code defines several links to email 
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addresses and other URLs referenced in the body of the purported email. The PDF object code 
also defines links and email addresses not referenced in the visible text of the purported email 
associated with an email-based mailing list for the discussion of computer forensics (the “CCE2” 
list). Both Craig Wright and Dave Kleiman appear to have been members of the mailing list based 
on my review of email messages produced by the Defendant. 

73. — Lidentified DEF_ 00014589 among documents produced by the Defendant, which 
is a native .msg file of an email sent to the same “CCE2” mailing list referenced in the PDF object 
code contained shown in Figure 6. Exhibit 46 shows the email headers contained in 
DEF _ 00014589, which indicate the email was sent by dave@davekleiman.com to the CCE2 
mailing list, and was subsequently received by craig@integyrs.com at the exact same date and 
time as the alleged email in DEF_00027300, but with entirely different email text. 

74. Based on the above findings, it is my opinion that DEF_00027300 is a forgery made 
in April 2014 by creating a PDF of an email sent to a mailing list by Dave Kleiman in June 2011, 
and then modifying the PDF to make it appear as if it was an unrelated email exchange between 


Craig Wright and Dave Kleiman in 2011. 


L. DEF _00027303 
75. [reviewed DEF 00027303, which is a PDF file of a purported email from Dave 
Kleiman to Craig Wright on or about December 10, 2012 regarding the establishment of a “shelf 
company” called Design by Human. 
76. extracted and analyzed a PDF metadata object from DEF_ 00027303. (Exs. 47- 
48.) The metadata indicates the document was created on or about March 26, 2014 at 1:18 PM in 
a time zone associated with eastern Australia (UTC+11). It was modified approximately two 


minutes later. 
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Tis The visible content of the purported email in DEF 00027303 contains a 
cryptographic signature allegedly created by Dave Kleiman. I analyzed the signature using GPG. 
(Ex. 49.) Based on the GPG output, I determined the signature was created on February 28, 2014 
at 5:49 AM UTC according to the computer on which it was created. 

78. lL identified DEF 00068505 among documents produced by the Defendant, which 
is a native .msg email file representing an email sent from craig@rcjbr.org to craig@rcjbr.org on 
or about February 28, 2014 at 5:15 AM UTC. (Ex. 50.) DEF 00068505 contains the same text as 
DEF _00027303, but with a different cryptographic signature allegedly created by Dave Kleiman. 

79.  Lanalyzed the signature in DEF 00068505 using GPG. (Ex. 51.) Based on the GPG 
output, I determined the signature was created on February 28, 2014 at 5:14 AM UTC according 
to the computer on which it was created—approximately one minute before DEF 00068505 was 
sent from the Defendant to himself and approximately 35 minutes before the signature in 
DEF _00027303 was created. 

80. Based on the above findings, it is my opinion that DEF 00027303 is a forgery made 
from an email sent from craig@rcjbr.org to craig@rcjbr.org on or about February 28, 2014, 
creating a PDF of that email, and modifying the PDF to appear as if it represented an email sent 


by Dave Kleiman to Craig Wright. 


M. DEF_00027289 
81. I reviewed DEF 00027289, which is a PDF of a purported email from Dave 
Kleiman to Uyen Nguyen on or about October 13, 2012 at 10:16 AM in which Dave allegedly 
appoints Uyen as “COO” of a UK-based company identified by the number 08248988. I 
understand from DEF 00027303 that the numeric company identifier 08248988 corresponds to an 


alleged shelf company called Design by Human. 
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82. The subject of the email is “Nomination”. In the content of the purported email, 
Dave states that he has attached an appointment letter for Uyen to sign. The “Attachments” field 
of the purported email further references an attached file named “Untitled attachment 00958.txt.” 
I extracted the attached file from the PDF, the content of which is shown in Figure 7. The 
attachment refers to an email-based mailing list related to computer security and appears to be 


unrelated to the appointment of Uyen Nguyen as COO of Design by Human. 


FIGURE 7. Contents of “Untitled attachment 00958.txt” extracted from DEF 00027289. 


Yasml mailing list 


Yasml@opensecnet.com 


https://www.opensecnet.com/mailman/listinfo/yasml 


DO NOT SHARE ANYTHING ON THIS LIST UNLESS YOU GET PERMISSION FROM THE ORIGINAL SOURCE. WHEN 
SHARING DO NOT MENTION THIS LIST, YOU MAY MENTION THE ORIGINAL SOURCE IF THEY ALLOW IT. 





83. IL extracted and analyzed the PDF metadata contained within DEF 00027289. (Ex. 
52.) The CreateDate field in the metadata object indicates that the PDF was created on or about 
October 13, 2012 at 1:22 PM in a time zone associated with eastern Australia (UTC+11) — 
approximately three hours after the purported email in DEF_00027289 was allegedly sent. The 
PDF was last modified on or about April 15, 2014 at 10:58 AM (UTC+10). 

84. I identified DEF 00014910 among documents produced by the Defendant, which 
is an email by Dave Kleiman to the same yasml@opensec.net mailing list referenced in the 
attachment in Figure 7. The subject of the email is the subject “Member Nomination”. 

85. I extracted the email headers from DEF 00014910. (Ex. 53.) According to the 


email headers, the email was received by craig.wright@information-defense.com on or about 
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October 12, 2012 at 4:16 PM (UTC-7) which is equivalent to 10:16 AM (UTC+11) — the exact 
same date and time shown in DEF _ 00027289. 

86. I analyzed the internal PDF file structure of DEF 00027289. Among the 
modifications made to the PDF, I identified the section of PDF object code in Exhibit 54 which 
indicates that the recipient of the email was changed to Uyen Nguyen, and that the original contents 
of the email itself had been removed and replaced with the text visible in DEF_ 00027289. 

87. Based on the above findings, it is my opinion that DEF 00027289 is a forgery made 
by creating a PDF of an email sent to a mailing list by Dave Kleiman in October 2012, and then 
modifying the PDF to make it appear as if it was an unrelated email sent by Dave Kleiman to Uyen 


Nguyen on the same date and time as the original email. 


N. DEFAUS_00521091 

88. [reviewed DEFAUS_00521091, which is a purported certificate of registration for 
Panopticrypt Pty Ltd issued by the Australian Securities and Investments Commission (“ASIC”) 
on June 20, 2011. 

89. I extracted and analyzed the PDF metadata contained within DEFAUS_00521091. 
(Ex. 55.) The metadata shows the PDF was created on or about April 17, 2013 at 7:13 AM—almost 
two years after the certificate was allegedly issued. The PDF metadata also indicated the document 
was later modified on or about October 23, 2014 at 7:39 AM on a computer with a time zone 
associated with eastern Australia (UTC+11). 

90. I identified DEF 00045255 among the documents produced by the Defendant, 
which is a similar certificate of registration of a company issued by ASIC to Coin-Exch Pty. Ltd. 


on or about April 17, 2013. I extracted and analyzed the PDF metadata contained within 
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DEF _ 00045255 and determined it had the exact same CreateDate as DEFAUS_00521091. (Ex. 
56.) 

91. I also analyzed the internal structure of DEFAUS_ 00521091. I identified PDF 
object code which indicated that the company name, company number, and issue date had been 
modified. (Ex. 57.) 

92. Based on the above findings, it is my opinion that DEFAUS_00521091 is a forgery 
created on or about October 23, 2014 by modifying a certificate of registration issued to Coin- 
Exch Pty Ltd in April 2013 to make it appear as if the certificate was issued to Panopticrypt Pty 


Ltd in June 2011. 


O. DEF_00029509 

93. I reviewed DEF 00029509, which is a PDF containing several purported email 
exchanges between the Defendant and ATO employees. The individual email exchanges within 
DEF_00029509 are labeled DM1 through DM7. Based on my review of the document, as well as 
other documents produced by the Defendant, the authenticity of some portions of the email 
exchanges appear to be disputed by the ATO. 

94. I identified DEF 00030109 among the documents produced by the Defendant, 
which is a .msg file containing a purported conversation between the Defendant and ATO 
employee Hao Khuu. The text of DEF_00030109 is the same as the email conversation containing 
DM1 and DM2 from DEF 00029509. I also identified DEF 00074274 among the documents 
produced by the Defendant, which appears to be a PDF of DEF_00030109. DEF 00074274 was 
named “Hoa Khuu emails altered 2.pdf’” when produced by the Defendant. 

95. [also identified DEF_00030131 among the documents produced by the Defendant, 


which is a .msg file containing a second purported conversation between the Defendant and Khuu. 
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The text of DEF 00030101 is the same as the email conversation containing DM3 and DM4 from 
DEF _ 00029509. I also identified DEF 000167853 among the documents produced by the 
Defendant, which appears to be a PDF of DEF _ 00030131. DEF 000167853 was named “Hoa 
Khuu emails altered.pdf’ when produced by the Defendant. 

96. [also identified DEF_ 00046674 among the documents produced by the Defendant, 
which is a .msg file containing a third purported conversation between the Defendant and Khuu. I 
also identified DEF 00074276 among the documents produced by the Defendant, which appears 
to be a PDF of DEF 00046674. DEF 00074276 was named “Hoa Khuu emails from ATO 
unaltered.pdf’ when produced by the Defendant. The text of DEF 00046674 is substantially 
different from DM1, DM2, DM3, and DM4. 

97. I extracted the email headers from DEF 00046674, DEF_00030131, 
DEF _00030109. (Exs. 58 - 60.) Each email header includes a “DKIM-Signature” field, which is a 
unique cryptographic signature computed by the sender’s email server over several fields of the 
email, such as the subject, date, and, in this case, email content. The DKIM-Signature field is 
identical for all three emails, including timestamp and hash of the message contents, despite having 
different timestamps and contents. 

98. [also identified DEF_ 00030136 among the documents produced by the Defendant, 
which is a .msg file containing a purported email from ATO employee Brigid Kinloch to the 
Defendant and John Chesher. The text of DEF 00030136 is the same as DMS from 
DEF _ 00029509. I also identified DEF 00074267 among the documents produced by the 
Defendant, which appears to be a PDF of DEF 00030136 with certain text highlighted. 


DEF_00074267 was named “Birgid Kinloch email altered.pdf’ when produced by the Defendant. 
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99. I extracted the email headers from DEF 00030136. (Ex. 61.) The email headers 
include two “Content-Type” headers, which is used to instruct an email client how to interpret the 
contents of the email. One Content-Type header contains a timestamp corresponding to 4:33:27 
AM on Friday, November 1, 2013 (UTC). The “Date” field in the email header field, on the other 
hand, indicates the email was sent at 5:03:12 AM on Friday, November 1, 2013 (UTC). 

100. Tidentified DEFAUS 00654293 among the documents produced by the Defendant, 
which contains an email sent from Brigid Kinloch to the Defendant and John Chesher. The text of 
the email is similar to DM5, but certain parts of the two messages differ. I extracted the email 
headers from DEFAUS_00654293. (Ex. 62.) The headers indicate the email was sent at 4:33:27 
AM on Friday, November 1, 2013 (UTC) — the exact same time as the Content-Type header in 
DEF _00030136. 

101.  Talso identified DEF 00074272 among the documents produced by the Defendant, 
which is a PDF containing an email exchange between the Defendant and Brigid Kinloch. The 
first email chronologically in the exchange is identical to the text of DEFAUS_ 00654293. 
DEF _ 0007472 was named “Birgid Kinloch email from ATO unaltered.pdf” when produced by the 
Defendant. 

102. Talso identified DEF 00030137 among the documents produced by the Defendant, 
which contains an email sent from ATO employee Celeste Salem to the Defendant. The text of 
DEF _00030137 is the same as DM6 from DEF 00029509. I extracted the email headers from 
DEF _ 00030137. (Ex. 63.) The “Date” field in DEF 00030137 purports that the email was sent on 
or about July 15, 2013 at 4:52:43 PM (UTC+11). Conflictingly, the “X-OriginalArrivalTime” and 
multiple “Received” header fields indicate the email was sent on or about July 15, 2014— 


approximately one year after the purported date of the email. Additionally, the final email server 
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in the email’s path references Microsoft SMTP Server 14.3.158.1, which is a version of the 
Microsoft Exchange email server software which was not released until August 8, 2013. (Ex. 64.) 

103. Talso identified DEF 00023312 among the documents produced by the Defendant, 
which contains an email purportedly sent from the Defendant to ATO employee Shalyce Dempster 
on or about July 18, 2013. The text and image within DEF 00023312 are identical to DM7 from 
DEF _ 00029509. I also identified DEF_ 00035418, which is a PDF of an email sent by Defendant 
to ATO employee Michael Hardy and Jamie Wilson on or about September 12, 2013. The email 
includes the July 18 email allegedly sent to Shalyce Dempster and has the same timestamp; 
however, the text of the July 18 email is different from that of DEF_ 00023312. 

104. Based on the above findings, it is my opinion that DEF 00029509 contains multiple 
forged emails that were created by modifying the contents of legitimate emails from ATO 


employees. 


VI. RESERVATION OF RIGHTS 

105. I reserve all rights to modify or supplement this Report if I become aware of any 
errors or misstatements, or if I become aware of other data or other evidence relevant to my 
position. I also reserve all rights to respond to any statements made by the Defendant or his 
witnesses or expert witnesses to which a response is appropriate. 

106. JI understand that several depositions remain to be taken in this matter. I may also 
modify or supplement my opinions in view of opinions or arguments made by any person, 
including Defendant’s counsel and anyone engaged by Defendant to provide opinions. I may also 
modify or supplement my opinions if the Court provides litigants with any pertinent additional 


rulings. 
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107. I may expand or modify my opinions as my investigation and study continues and 
supplement my opinions in light of any relevant orders from the Court or in response to any 
additional information I review, and matters the Defendant raises, or any opinions Defendant’s 
experts may provide. 

108. I may prepare and use graphics, images, photographs, video recordings, test data, 
animations, and other presentation aids to help me explain my opinions. I may also use images, 
photographs, graphics, animations, and other presentation aids prepared by other witnesses to help 


me explain my opinions. 


I declare under penalty of perjury that the foregoing Report is true and accurate. 


Dated: December 13, 2019 


Myon 


Dr. Matthew J. Edman 
Lana‘i, HI 
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Materials Considered 
Declarations 
May 8, 2019 Declaration of Craig S. Wright 
May 13, 2019 Declaration of Craig S. Wright 


Production Documents 


DEF _00000204 
DEF 00002413 
DEF 00002414 
DEF 00002415 
DEF 00002416 
DEF 00013147 
DEF _00013188 
DEF_00013189 
DEF _00013376 
DEF_00013459 
DEF _00014589 
DEF 00014910 
DEF_00016785 
DEF 00022263 
DEF 00022274 
DEF 00023252 
DEF 00023312 
DEF_00027287 
DEF _00027288 
DEF_00027289 


DEF 00028008 
DEF 00029509 
DEF 00030101 
DEF 00030109 
DEF 00030131 
DEF 00030136 
DEF 00030137 
DEF 00030487 
DEF 00035418 
DEF 00045255 
DEF 00046674 
DEF 00050985 
DEF 00051013 
DEF 00056406 
DEF 00068505 
DEF 00074267 
DEF 00074272 
DEF 00074274 
DEF 00074276 
DEF 00079344 


DEF 00027291 DEFAUS_ 00521091 
DEF _00027300 DEFAUS_ 00654293 
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Additional Materials 

All Exhibits and Demonstratives attached to this Report. 

Telephonic conversation with Jonathan Warren dated June 25, 2019. 
Deposition of Jonathan Warren (July 24, 2019). 
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